{
  "threat_severity" : "Low",
  "public_date" : "2022-04-13T00:00:00Z",
  "bugzilla" : {
    "description" : "Framework: Data Binding Rules Vulnerability",
    "id" : "2075441",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2075441"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ 7.10.0",
    "release_date" : "2022-06-16T00:00:00Z",
    "advisory" : "RHSA-2022:5101",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "springframework"
  }, {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "springframework"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Fix deferred",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Fix deferred",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Fix deferred",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Fix deferred",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat Integration Data Virtualisation Operator",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Fix deferred",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-22968\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22968\nhttps://tanzu.vmware.com/security/cve-2022-22968" ],
  "name" : "CVE-2022-22968",
  "csaw" : false
}